Tag Archives for dm-crypt

In a fit of either curiosity or tinfoil induced paranoia, you decide to set up full disk encryption on your machine. But it’s really annoying because you have multiple physical disks, and you can’t be arsed entering passwords for each one separately at boot up. So what do you do? You stick a keyfile on the first encrypted disk, and decrypt the others with that instead of a password. That way they are “chained” together – the password decrypts the first disk, which unlocks the file to decrypt the secondary disks.

Here’s how you do it (works on debian wheezy):

Encrypt all disks normally using luks/cryptsetup/disk utility

Set them all up to be mounted at boot by fiddling with crypttab and fstab (arch wiki should have you covered)

add the keyfile to a luks keyslot on the secondary drives: # cryptsetup luksAddKey /dev/[volume] /path/to/mykeyfile

fiddle with crypttab to make it use the keyfile on boot: [volume]_crypt UUID=deadbeef-dead-beef-dead-beefdeafbeef /path/to/mykeyfile luks

reboot and test it

Be sure not to store the keyfile somewhere stupid where it will be unencrypted, like in /boot for instance. Bonus points for being patient and using a better source of randomness than /dev/urandom. The usual disclaimers apply, I don’t really know what I’m talking about, so don’t use this method to secure your nuclear launch codes, blame me if someone steals your data, or blame me if you can’t decrypt the drive and lose all your data.